In regard to the WebDav thread.

---------- Forwarded message ----------
Date: Wed, 19 Mar 2003 21:57:58 -0700 (MST)
From: Sean Hittel <seanhat_private>
To: aris-usersat_private
Subject: Microsoft Windows 2000 WebDAV buffer overflow vulnerability signature available

Hello,

The Symantec DeepSight Threat Analyst Team has created a Snort signature for the Microsoft Windows 2000 WebDAV Buffer Overflow Vulnerability (http://www.securityfocus.com/bid/7116).

The following Snort signatures are known by the Threat Analyst Team to detect certain attack vectors of the Microsoft Windows 2000 WebDAV Buffer Overflow Vulnerability:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS view source via translate header"; flow:to_server,established; content: "Translate|3a| F"; nocase; reference:arachnids,305; reference:bugtraq,1578; classtype:web-application-activity; sid:1042; rev:6;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webdav search access"; flow:to_server,established; content: "SEARCH "; depth: 8; nocase;reference:arachnids,474; classtype:web-application-activity; sid:1070; rev:5;)

However, neither of the above signatures will detect the nature of the vulnerability. It has been discovered that this vulnerability can be exploited without the use of the "Translate: f" HTTP header. While the Threat Analyst Team is not aware of any exploits in the wild that target this vulnerability without using the "Translate: f" verb, the Nessus vulnerability testing engine is known to contain a proof of concept exploit for this vulnerability that does not utilize the "Translate: f" verb. The second signature above will trigger on the Nessus proof of concept exploit found in iis_webdav_overflow.nasl. However, the Threat Analyst Team is aware of methodologies of exploiting this vulnerability which will not trigger either of the above signatures.

As a result, the Threat Analyst Team has created the following signature, which will detect all known variations of exploits for this vulnerability.

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Miscellaneous long HTTP WebDAV request"; content:" /"; content:!"|0a|"; within:30000; flow:to_server; reference:Bugtraq,7116; rev: 2; )

Although it was originally thought that the buffer required for exploitation was 64Kb, further analysis leads the Threat Analyst Team to believe that the buffer required for exploitation may be 32kB in size, rather than the 64kB used by the Nessus proof of concept exploit. This is presently being researched further. In spite of preliminary binary analysis of NTDLL.DLL leading us to believe the buffer is 32kB in size, the Threat Analyst Team has not been able to crash IIS using a 32kB buffer with any high degree of reliability. Since an HTTP request of the format "/<more than 30000 characters>|0a|" is anomalous on most networks, the signature has been modified to include this possibility.

The DeepSight Threat Analyst Team is not aware of any situations in which our Snort signature would produce any false negatives. This rule may cause false positives in some environments, especially those that employ non-HTTP-based protocols over TCP port 80. The rule has been designed to detect a long HTTP request URI by keying on the first instance of the "/" character in the HTTP request, and ensuring that a newline is not present within a certain threshold of characters.

If this signature produces excessive false positives, the signature can be modified to look for a 60000 byte buffer as follows:

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Miscellaneous long HTTP WebDAV request"; content:" /"; content:!"|0a|"; within:60000; flow:to_server; reference:Bugtraq,7116; rev: 2; )

Sean Hittel
Symantec DeepSight Threat Analyst
http://analyzer.securityfocus.com/
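As an added illustration that is not part of the original message or of the DeepSight rules, the matching logic of the three signatures above is approximated in plain Python and run over constructed sample requests, so the effect of the 30000 versus 60000 byte threshold can be seen directly. The function names and sample requests are assumptions made for this demonstration, and the code approximates Snort's content/depth/within semantics rather than invoking Snort.

```python
from typing import Callable, Dict, List, Tuple

# Constructed sample requests for the demonstration (not captured traffic).
# The 'A' padding stands in for an over-long request URI of the size the rule keys on.
SAMPLE_REQUESTS: Dict[str, bytes] = {
    "normal_get": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "translate_f": b"GET /default.asp HTTP/1.1\r\nHost: www.example.com\r\nTranslate: f\r\n\r\n",
    "search_short": b"SEARCH / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "search_long": b"SEARCH /" + b"A" * 31000 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "propfind_long": b"PROPFIND /" + b"A" * 31000 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}


def sid1042_translate_header(payload: bytes) -> bool:
    """sid:1042 -- content:"Translate|3a| F"; nocase: case-insensitive match anywhere."""
    return b"translate: f" in payload.lower()


def sid1070_search_method(payload: bytes) -> bool:
    """sid:1070 -- content:"SEARCH "; depth:8; nocase: match must lie in the first 8 bytes."""
    return b"search " in payload[:8].lower()


def long_webdav_request(payload: bytes, within: int = 30000) -> bool:
    """DeepSight rule -- content:" /"; content:!"|0a|"; within:N.

    Anchor on the first " /" and require that no line feed occurs in the next N bytes.
    In this approximation a payload shorter than N bytes with no line feed after " /"
    also matches, which is why non-HTTP traffic on port 80 can produce false positives.
    """
    idx = payload.find(b" /")
    if idx == -1:
        return False
    window = payload[idx + 2: idx + 2 + within]
    return b"\n" not in window


def fired_rules(payload: bytes, within: int = 30000) -> List[str]:
    """Return the names of the signatures that would alert on this request."""
    checks: List[Tuple[str, Callable[[bytes], bool]]] = [
        ("sid1042_translate", sid1042_translate_header),
        ("sid1070_search", sid1070_search_method),
        ("long_webdav", lambda p: long_webdav_request(p, within)),
    ]
    return [name for name, check in checks if check(payload)]


if __name__ == "__main__":
    for name, request in SAMPLE_REQUESTS.items():
        print(f"{name:14s} within=30000 -> {fired_rules(request)}  "
              f"within=60000 -> {fired_rules(request, 60000)}")
```

The long PROPFIND sample fires only the DeepSight rule at 30000, and nothing at 60000, which is the trade-off the message describes when raising the threshold.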
This archive was generated by hypermail 2b30 : Thu Mar 20 2003 - 11:39:51 PST